Hi Manav,

I am sure errors can creep past CRC32 algorithms. What I am saying is
by still having it, it provides another level of security.

Thanks,
Vishwas

On Tue, Jan 18, 2011 at 9:52 PM, Bhatia, Manav (Manav) <[email protected]> wrote:
> Hi Vishwas,
>
> I think computing the checksum when we're already computing the hash is
> redundant. There are a lot of errors that can slip past the internet protocol
> checksum that currently exists and a lot of work has been done describing
> this. One such widely referred paper is this:
>
> Stone, J., Greenwald, M., Partridge, C., and J. Hughes, "Performance of
> checksums and CRC's over real data", IEEE/ACM Trans. Netw. vol
> 6, num 5, pages 529-543, 1998, <http://dx.doi.org/10.1109/90.731187>
>
> In fact, there are several people who turn on cryptographic authentication
> only to detect errors that slip past OSPF's current checksum algo. I had
> posted a question on NANOG some time back and I had received a few responses
> where people said that they did what I have just described above. So, I don't
> think we should do checksum if we're already doing crypto authentication - I
> think it's redundant and doesn't help in any way.
>
> There is also a draft motivated by this which was presented in the last IETF.
> http://tools.ietf.org/html/draft-jakma-ospf-integrity-00
>
> Cheers, Manav
>
>> -----Original Message-----
>> From: Vishwas Manral [mailto:[email protected]]
>> Sent: Wednesday, January 19, 2011 10.50 AM
>> To: Bhatia, Manav (Manav)
>> Cc: Rajesh Shetty; Acee Lindem; [email protected]
>> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
>>
>> Hi Manav,
>>
>> I don't think you gain much by not calculating checksum.
>>
>> You gain a lot as any issues with the authentication algorithm like
>> MD5, the checksum is another level of protection.
>>
>> Thanks,
>> Vishwas
>>
>> On Tue, Jan 18, 2011 at 8:44 PM, Bhatia, Manav (Manav)
>> <[email protected]> wrote:
>> > Hi Rajesh,
>> >
>> > Yes, you are right.
>> > We should add text that says that checksum SHOULD not be computed and
>> > verified when an authentication trailer is attached to an OSPFv3 packet.
>> >
>> > Cheers, Manav
>> >
>> >> -----Original Message-----
>> >> From: [email protected] [mailto:[email protected]] On Behalf Of Rajesh Shetty
>> >> Sent: Wednesday, January 19, 2011 10.09 AM
>> >> To: 'Acee Lindem'
>> >> Cc: [email protected]
>> >> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
>> >>
>> >> Dear Acee,
>> >>
>> >> Just a discrepancy between ospfv2 and ospfv3:
>> >> In OSPFv2 cryptographic authentication, checksum field is set to zero. In
>> >> OSPFv3 authentication Trailer, both cryptographic authentication and
>> >> checksum are calculated. Checksum in OSPFv3 covers ipv6 pseudo header,
>> >> entire ospf packet. Covering ospf packet might not be necessary in this
>> >> scenario since cryptographic authentication already covers the same.
>> >>
>> >> Thanks
>> >> Rajesh
>> >>
>> >> -----Original Message-----
>> >> From: [email protected] [mailto:[email protected]] On Behalf Of Acee Lindem
>> >> Sent: Friday, January 07, 2011 8:39 PM
>> >> To: Bhatia, Manav (Manav)
>> >> Cc: [email protected]; Vishwas Manral
>> >> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
>> >>
>> >> Actually I was just making sure everyone was paying attention :^) Since I'm
>> >> an author, I'll validate with Abhay and Stewart but I think we can move
>> >> forward and make this a WG document.
>> >>
>> >> Thanks,
>> >> Acee
>> >>
>> >> On Jan 6, 2011, at 8:46 PM, Bhatia, Manav (Manav) wrote:
>> >>
>> >> > I am sure Acee meant that he and the authors would like to see this
>> >> > draft adopted up as a WG draft.
>> >> >
>> >> > I agree with that sentiment and would request this to be accepted as a WG
>> >> > document. We've had several mails in the past where this work was supported
>> >> > and none that was against.
>> >> >
>> >> > Cheers, Manav
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: Acee Lindem [mailto:[email protected]]
>> >> >> Sent: Friday, January 07, 2011 2.11 AM
>> >> >> To: [email protected]
>> >> >> Cc: Bhatia, Manav (Manav); Vishwas Manral
>> >> >> Subject: Supporting Authentication Trailer for OSPFv3
>> >> >>
>> >> >> Speaking as WG Co-Chair:
>> >> >>
>> >> >> At the last OSPF WG meeting, there was some interest in this
>> >> >> draft. I'm now asking for opinions for and against.
>> >> >>
>> >> >> Speaking as a WG member:
>> >> >>
>> >> >> The authors (myself included) would not like to make this a
>> >> >> WG draft. On the OSPF list and at the OSPF WG meeting, the
>> >> >> only dissent was along the lines of making IPsec
>> >> >> (including IKEv2) work better with OSPFv3 rather than doing
>> >> >> this. I don't disagree that this should be a goal but I don't
>> >> >> think it should preclude this work.
>> >> >>
>> >> >> Thanks,
>> >> >> Acee
>> >>
>> >> _______________________________________________
>> >> OSPF mailing list
>> >> [email protected]
>> >> https://www.ietf.org/mailman/listinfo/ospf
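
The thread's point that transmission errors can slip past a 16-bit one's-complement checksum while a keyed digest still catches them, as an added example that is not part of the thread or of any draft it discusses. Assumptions: HMAC-SHA-256 stands in for the authentication trailer's digest, the key and the 32-byte buffer are constructed, and the checksum is computed over the buffer alone, without the IPv6 pseudo-header.

```python
import hashlib
import hmac

PACKET = bytes(range(1, 33))        # constructed 32-byte buffer, not a real OSPF packet
KEY = b"constructed-demo-key"       # constructed key, for illustration only

def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"             # pad odd-length input with a zero byte
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:              # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def auth_digest(key: bytes, data: bytes) -> bytes:
    """Keyed digest over the data (assumption: HMAC-SHA-256)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def swap_words(data: bytes, a: int, b: int) -> bytes:
    """Reordering error: exchange the 16-bit words at word indexes a and b."""
    buf = bytearray(data)
    buf[2*a:2*a+2], buf[2*b:2*b+2] = buf[2*b:2*b+2], buf[2*a:2*a+2]
    return bytes(buf)

def offsetting_errors(data: bytes, a: int, b: int) -> bytes:
    """Two errors that cancel in the sum: word a gains 1, word b loses 1."""
    buf = bytearray(data)
    wa = int.from_bytes(buf[2*a:2*a+2], "big") + 1
    wb = int.from_bytes(buf[2*b:2*b+2], "big") - 1
    buf[2*a:2*a+2] = wa.to_bytes(2, "big")
    buf[2*b:2*b+2] = wb.to_bytes(2, "big")
    return bytes(buf)

def flip_bit(data: bytes, index: int) -> bytes:
    """Single-bit error in the byte at the given index."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)

def detects(original: bytes, damaged: bytes, key: bytes = KEY):
    """Return (checksum_detects, digest_detects) for a damaged copy."""
    by_sum = internet_checksum(original) != internet_checksum(damaged)
    by_mac = not hmac.compare_digest(auth_digest(key, original),
                                     auth_digest(key, damaged))
    return by_sum, by_mac

if __name__ == "__main__":
    print("swapped words    :", detects(PACKET, swap_words(PACKET, 2, 5)))
    print("offsetting errors:", detects(PACKET, offsetting_errors(PACKET, 3, 7)))
    print("single bit flip  :", detects(PACKET, flip_bit(PACKET, 0)))
```

Reordered words and offsetting errors leave the checksum unchanged because addition is commutative; the keyed digest changes in all three cases.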
